CVE-2019-16941
📋 TL;DR
CVE-2019-16941 allows arbitrary code execution in NSA Ghidra through 9.0.4 when experimental mode is enabled and an attacker-controlled XML document is loaded through the Read XML Files feature of the Bit Patterns Explorer plugin (FileBitPatternInfoReader.java). The file is deserialized with java.beans.XMLDecoder, which will instantiate arbitrary classes and call their methods as directed by the document, so the XML content runs as code inside the Ghidra process. Anyone who can get a Ghidra user with experimental plugins enabled to open a crafted XML file can execute arbitrary commands with that user's privileges.
💻 Affected Systems
- NSA Ghidra
📦 What is this software?
Ghidra is a free, open-source software reverse engineering (SRE) framework developed by the NSA and published on GitHub in 2019. It runs on the JVM and is used by analysts to disassemble, decompile and annotate binaries, including malware samples. The Bit Patterns Explorer is one of its experimental plugins, disabled by default, that mines function prologue/epilogue byte patterns and can import and export that data as XML.
⚠️ Risk & Real-World Impact
Worst Case
The injected code runs with the privileges of the user running Ghidra. If that user is an administrator, or the analysis host holds credentials, proprietary binaries or live malware samples, the result is full compromise of the host with data theft, lateral movement or persistence following.
Likely Case
Arbitrary command execution as the Ghidra user on an analyst workstation (this is not a privilege escalation bug in itself): reading and exfiltrating the user's files and Ghidra projects, tampering with the Ghidra installation or scripts, or staging further attacks from the host. The most plausible delivery is a malicious "bit pattern" XML export shared between analysts, since that is the only file type the feature loads.
If Mitigated
None. The vulnerable code path is only reachable when the Experimental plugin package is enabled and the user explicitly invokes Read XML Files on an attacker-supplied document; with experimental plugins off, or with untrusted XML never loaded, the bug cannot be triggered.
🎯 Exploit Status
Exploitation requires user interaction: the victim must have the experimental plugins enabled and must load the malicious XML file through Read XML Files, so this is a social-engineering vector rather than a remote one. Public proof-of-concept code (purpleracc00n/CVE-2019-16941) demonstrates arbitrary command execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ghidra 9.1 and later (fix commit a17728f8c12effa171b17a25ccfb7e7d9528c5d0)
Vendor Advisory: https://github.com/NationalSecurityAgency/ghidra/issues/1090
Restart Required: Yes
Instructions:
1. Download Ghidra 9.1 or later from the official GitHub releases page (https://github.com/NationalSecurityAgency/ghidra/releases).
2. Extract the new release; Ghidra releases are self-contained directories, so install it alongside or in place of the existing installation rather than patching files in the old one.
3. Open your existing projects with the new version and retire the old installation directory.
4. Restart Ghidra.
🔧 Temporary Workarounds
Disable Experimental Mode
Prevent exploitation by disabling the experimental plugin package, which removes the Bit Patterns Explorer (and its Read XML Files action) from the tool
In the Ghidra tool (CodeBrowser): File → Configure..., then untick the Experimental plugin package, or open its Configure link and untick only Function Bit Patterns Explorer
Restrict XML Processing
Avoid processing untrusted XML files with the Bit Patterns Explorer
Do not use the 'Read XML Files' feature on XML documents that did not originate from your own Ghidra exports
🧯 If You Can't Patch
- Disable experimental mode in Ghidra settings
- Implement strict policy against processing untrusted XML files with Ghidra
🔍 How to Verify
Check if Vulnerable:
Check Ghidra version: Help → About Ghidra, or read application.version in <install>/Ghidra/application.properties. If the version is 9.0.4 or earlier (every release through 9.0.4 is affected) and the Experimental plugin package is enabled in the tool configuration, the system is vulnerable.
Check Version:
In Ghidra: Help → About Ghidra
Verify Fix Applied:
Verify the Ghidra version is 9.1 or later. For a build from source, confirm that commit a17728f8c12effa171b17a25ccfb7e7d9528c5d0 is an ancestor of your checkout; a version string such as 9.1-DEV does not by itself prove the fix is present.
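The version check above can be scripted for a fleet of analyst workstations. The following is an added example, not code from the page or from the Ghidra project: it reads application.version from <install>/Ghidra/application.properties (the file Ghidra ships its version in) and compares it against the 9.1 fix release. The SAMPLE_PROPERTIES text is a constructed stand-in for that file so the script also runs offline.

```python
import sys
from pathlib import Path

# CVE-2019-16941 is fixed in Ghidra 9.1; every release through 9.0.4 is affected.
FIXED_VERSION = (9, 1)


def parse_version(version: str) -> tuple:
    """Turn '9.0.4' or '9.1-DEV' into a comparable tuple of ints.

    Suffixes such as '-DEV' are dropped; tuples compare element-wise, so
    (9, 0, 4) < (9, 1) and (9, 1, 1) > (9, 1) as expected.
    """
    core = version.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def version_from_properties(text: str) -> str:
    """Extract application.version from Java .properties-style text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "application.version":
            return value.strip()
    raise ValueError("application.version not found")


def read_ghidra_version(install_dir: str) -> str:
    """Read the version string from a Ghidra installation directory."""
    props = Path(install_dir) / "Ghidra" / "application.properties"
    return version_from_properties(props.read_text(encoding="utf-8"))


def is_vulnerable(version: str) -> bool:
    """True for any release before 9.1, i.e. 9.0.4 and earlier.

    A -DEV build that reports 9.1 is treated as fixed here; confirm the fix
    commit is in the build's history before trusting that for source builds.
    """
    return parse_version(version) < FIXED_VERSION


# Constructed sample mirroring the layout of Ghidra/application.properties
# (not a real file from a Ghidra install).
SAMPLE_PROPERTIES = """\
# constructed sample
application.name=Ghidra
application.version=9.0.4
application.release.name=PUBLIC
"""


if __name__ == "__main__":
    # Usage: python check_ghidra.py /opt/ghidra_9.0.4_PUBLIC
    if len(sys.argv) > 1:
        version = read_ghidra_version(sys.argv[1])
    else:
        version = version_from_properties(SAMPLE_PROPERTIES)
    if is_vulnerable(version):
        print(f"Ghidra {version}: VULNERABLE to CVE-2019-16941 if experimental plugins are enabled")
    else:
        print(f"Ghidra {version}: fixed")
```

Run it with the installation directory as the only argument; with no argument it evaluates the constructed sample and reports 9.0.4 as vulnerable. A "fixed" result still assumes the tool configuration is checked separately, since the version alone says nothing about whether experimental plugins are enabled.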
📡 Detection & Monitoring
Log Indicators:
- The Ghidra JVM (a java process whose command line contains ghidra.GhidraRun or the Ghidra install path) spawning anything other than its own native helpers, the decompiler (decompile) and the SLEIGH compiler (sleigh); a shell such as cmd.exe, powershell.exe, sh or bash as a child of that process is high-signal
- Endpoint process-creation telemetry (Sysmon Event ID 1, auditd EXECVE records, EDR) is the primary source; Ghidra's own application.log under the user's .ghidra directory may help correlate when the plugin loaded the XML file
- XML parsing errors in Ghidra logs are not a reliable indicator: a working payload parses cleanly
Network Indicators:
- Outbound connections from the Ghidra JVM, or from an unexpected child of it, to destinations other than your Ghidra server or known update sources
SIEM Query:
parent_process_name:(java OR java.exe OR javaw.exe) AND parent_command_line:*ghidra* AND NOT process_name:(decompile OR decompile.exe OR sleigh OR sleigh.exe)
Prioritise hits where process_name is a shell or scripting interpreter; the original Runtime.exec string never appears in a command line and is not a usable indicator.
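To make the detection rule above concrete, here is an added example (not code from the page or from Ghidra) that applies the same logic to process-creation events. It uses Sysmon Event ID 1 style field names on constructed records, not real telemetry, and treats Ghidra's own native helpers (decompile, sleigh) as expected children while ranking shells as high severity.

```python
from pathlib import PurePosixPath

# Ghidra's JVM legitimately launches its own native helpers; anything else
# spawned by it deserves a look. Extend this set if your deployment is known
# to launch other tools from Ghidra.
EXPECTED_CHILDREN = {"decompile", "decompile.exe", "sleigh", "sleigh.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "zsh"}
JAVA_IMAGES = {"java", "java.exe", "javaw.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return PurePosixPath(path.replace("\\", "/")).name.lower()


def is_ghidra_jvm(event: dict) -> bool:
    """Parent is a JVM whose command line references Ghidra (launcher class or install path)."""
    return (image_name(event["ParentImage"]) in JAVA_IMAGES
            and "ghidra" in event["ParentCommandLine"].lower())


def classify(event: dict) -> str:
    """Return 'ignore', 'expected', 'medium' or 'high' for one process-creation event."""
    if not is_ghidra_jvm(event):
        return "ignore"
    child = image_name(event["Image"])
    if child in EXPECTED_CHILDREN:
        return "expected"
    if child in SHELLS:
        return "high"
    return "medium"


def alerts(events):
    """Events worth raising, as (severity, image, command line) tuples."""
    return [(classify(e), e["Image"], e["CommandLine"])
            for e in events if classify(e) in ("high", "medium")]


# Constructed sample events (Sysmon Event ID 1 field names); not real telemetry.
# The Ghidra launch command line is what the stock launcher scripts produce.
GHIDRA_JVM_WIN = (r"java.exe -Xmx2G -cp C:\Tools\ghidra_9.0.4\Ghidra\Framework\Utility\lib\Utility.jar "
                  "ghidra.GhidraLauncher ghidra.GhidraRun")
GHIDRA_JVM_NIX = ("java -cp /opt/ghidra_9.0.4/Ghidra/Framework/Utility/lib/Utility.jar "
                  "ghidra.GhidraLauncher ghidra.GhidraRun")

SAMPLE_EVENTS = [
    {   # Ghidra's decompiler: expected, must not alert
        "Image": r"C:\Tools\ghidra_9.0.4\Ghidra\Features\Decompiler\os\win64\decompile.exe",
        "CommandLine": "decompile.exe",
        "ParentImage": r"C:\Program Files\Java\jdk-11\bin\java.exe",
        "ParentCommandLine": GHIDRA_JVM_WIN,
    },
    {   # a shell spawned from the Ghidra JVM: high severity
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami > C:\Users\analyst\out.txt",
        "ParentImage": r"C:\Program Files\Java\jdk-11\bin\java.exe",
        "ParentCommandLine": GHIDRA_JVM_WIN,
    },
    {   # an interpreter spawned from the Ghidra JVM on Linux: medium severity
        "Image": "/usr/bin/python3",
        "CommandLine": "python3 -c import socket",
        "ParentImage": "/usr/lib/jvm/java-11-openjdk-amd64/bin/java",
        "ParentCommandLine": GHIDRA_JVM_NIX,
    },
    {   # a shell from an unrelated JVM (build tool): ignored by this rule
        "Image": "/bin/sh",
        "CommandLine": "sh -c id",
        "ParentImage": "/usr/lib/jvm/java-11-openjdk-amd64/bin/java",
        "ParentCommandLine": "java -jar /opt/build/gradle/lib/gradle-launcher.jar",
    },
]


if __name__ == "__main__":
    for severity, image, cmdline in alerts(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {cmdline}")
```

The rule keys on the parent rather than the child because the Ghidra JVM is a stable anchor (its command line always names the launcher class or install path), while the child can be anything the attacker chooses; tune EXPECTED_CHILDREN against a baseline from your own hosts before enabling it as a blocking rule.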
🔗 References
- https://github.com/NationalSecurityAgency/ghidra/blob/79d8f164f8bb8b15cfb60c5d4faeb8e1c25d15ca/Ghidra/Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java#L187-L188
- https://github.com/NationalSecurityAgency/ghidra/commit/a17728f8c12effa171b17a25ccfb7e7d9528c5d0
- https://github.com/NationalSecurityAgency/ghidra/issues/1090
- https://github.com/purpleracc00n/CVE-2019-16941
- https://twitter.com/NSAGov/status/1178812792159248385
- https://www.symantec.com/security-center/vulnerabilities/writeup/110223?om_rssid=sr-advisories